Between 2018 and 2019, Chrome introduced Site Isolation, a security feature that prevents attackers from using renderer or side-channel exploits to access sensitive cross-site data. The feature is not without limitations, some of which are well known and documented. This talk introduces another one. Specifically, we will show how an attacker with a renderer exploit can leak cross-site URLs, including, and especially, those that carry authentication tokens, which on many websites is enough for a full account takeover. This talk is also the story of a high-risk Chromium bug report that remained open for over six years. We will see what makes this issue so difficult to fix, discuss potential mitigating factors, and investigate alternate ways of leaking sensitive URLs from the renderer process.
Ivan Fratric is a tech lead and a security researcher at Google Project Zero. In his research work, he mainly focuses on remote attack surfaces and tooling. Previously, he worked on the Google Security Team and, before that, at the University of Zagreb where he received his PhD. He has been publishing security research for almost two decades and is the author of multiple open-source security tools.